These sorts of adversary-in-the-middle attacks have grown increasingly common. In 2022, for instance, a single group used it in a series of attacks that stole more than 10,000 credentials from 137 organizations, and led to the network compromise of authentication provider Twilio, among others.
One company that was targeted in the attack campaign but wasn’t breached was content delivery network Cloudflare. The reason was its use of MFA based on WebAuthn, the standard that makes passkeys work. Services that use WebAuthn are highly resistant to adversary-in-the-middle attacks, if not absolutely immune. There are two reasons for this.
First, WebAuthn credentials are cryptographically bound to the URL they authenticate. In the above example, the credentials would work only on https://accounts.google.com. If a victim tried to use the credential to log into https://accounts.google.com.evilproxy[.]com, the login would fail each time.
Additionally, WebAuthn-based authentication must happen on or in proximity to the device the victim is using to log into the account. This occurs because the credential is also cryptographically bound to a victim device. Because the authentication can only happen on the victim device, it’s impossible for an adversary in the middle to actually use it in a phishing attack on their own device.
Phishing has emerged as one of the most vexing security problems facing organizations, their employees, and their users. MFA in the form of a one-time password, or traditional push notifications, definitely adds friction to the phishing process, but with proxy-in-the-middle attacks becoming easier and more common, the effectiveness of these forms of MFA is growing increasingly easier to defeat.
WebAuthn-based MFA comes in multiple forms; a key, known as a passkey, stored on a phone, computer, Yubikey, or similar dongle is the most common example. Thousands of sites now support WebAuthn, and it’s easy for most end users to enroll. As a side note, MFA based on U2F, the predecessor standard to WebAuthn, also prevents adversary-in-the-middle attacks from succeeding, although the latter provides flexibility and additional security.
Post updated to add details about passkeys.
